AWS‑IReveal‑MCP
Provides a unified interface to AWS services for security investigations and incident response.
AWS‑IReveal‑MCP is a Model Context Protocol (MCP) server designed to give security teams and incident responders a unified interface to AWS services useful for investigation. By connecting AWS‑IReveal‑MCP to any MCP client (such as Claude Desktop or Cline), you can invoke queries and analyses across multiple AWS services without leaving your LLM‑driven workspace.
Features
AWS‑IReveal‑MCP integrates with the following AWS services and functionalities:
- CloudTrail — Management event logs for API activity
- Amazon Athena — SQL queries over CloudTrail logs
- CloudWatch — Operational logs and ad hoc analysis
- Amazon GuardDuty — Threat detection and finding investigation
- AWS Config — Resource configuration history and compliance status
- VPC Flow Logs — Network traffic metadata for forensic analysis
- Network Access Analyzer — Reachability checks across SG/NACL/VPC
- IAM Access Analyzer — Policy and resource‑based access findings
Together, these services let you:
- Trace “who did what, when, and where” (CloudTrail, Config)
- Examine detailed data events (Athena)
- Search and visualize logs (CloudWatch, VPC Flow Logs)
- Surface security alerts (GuardDuty, IAM Access Analyzer)
- Verify network reachability and configuration (Network Access Analyzer)
Example Prompts
- analyze activity by IP x.x.x.x in the last 5 days
- analyze activity by role 'sysadmin' in the last 24 hours
- investigate suspicious activity on cloudtrail in the last 7 days on us-west-2
- is there any data event on buckets with name containing 'customers' in the last 7 days?
- investigate cloudwatch logs related to Bedrock
- propose remediations for high-risk GuardDuty findings from the last 2 days
- identify non-compliant resources, explain violated rules, and suggest remediation
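The kind of summary a prompt such as "analyze activity by IP x.x.x.x in the last 5 days" asks for can be sketched offline. This is an added example, not code from AWS‑IReveal‑MCP: the function names, the sample events, the principal and the fixed NOW are all constructed, and only the record field names (eventTime, eventSource, eventName, sourceIPAddress, awsRegion, userIdentity.arn, errorCode) follow the CloudTrail record format.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# CloudTrail errorCode values that indicate a denied call
DENIED = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed principal
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def _ev(time, source, name, ip, region, arn, error=None):
    """Build a constructed record that uses CloudTrail's field names."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "awsRegion": region, "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample events (documentation IP ranges, made-up activity)
SAMPLE_EVENTS = [
    _ev("2024-05-08T09:15:00Z", "iam.amazonaws.com", "ListUsers", "203.0.113.10", "us-east-1", ALICE),
    _ev("2024-05-08T09:16:30Z", "s3.amazonaws.com", "GetBucketPolicy", "203.0.113.10", "us-west-2", ALICE, "AccessDenied"),
    _ev("2024-05-09T22:01:00Z", "iam.amazonaws.com", "CreateAccessKey", "203.0.113.10", "us-east-1", ALICE),
    _ev("2024-05-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", "us-west-2", ALICE),
    _ev("2024-05-09T11:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7", "us-east-1", ALICE),
]

def parse_time(ts):
    """Parse CloudTrail's ISO 8601 UTC eventTime, e.g. 2024-05-08T09:15:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def activity_by_ip(events, ip, now, days):
    """Summarise who did what, when and where for one source IP in a time window."""
    cutoff = now - timedelta(days=days)
    hits = [e for e in events
            if e.get("sourceIPAddress") == ip
            and cutoff <= parse_time(e["eventTime"]) <= now]
    hits.sort(key=lambda e: e["eventTime"])  # ISO 8601 UTC strings sort chronologically
    return {
        "event_count": len(hits),
        "principals": sorted({e.get("userIdentity", {}).get("arn", "unknown") for e in hits}),
        "regions": sorted({e["awsRegion"] for e in hits}),
        "actions": Counter(f'{e["eventSource"]}:{e["eventName"]}' for e in hits),
        "denied": [e["eventName"] for e in hits if e.get("errorCode") in DENIED],
        "first_seen": hits[0]["eventTime"] if hits else None,
        "last_seen": hits[-1]["eventTime"] if hits else None,
    }

if __name__ == "__main__":
    print(activity_by_ip(SAMPLE_EVENTS, "203.0.113.10", NOW, days=5))
```

Denied calls and credential-related actions such as CreateAccessKey from the same address are the entries an investigator would usually review first.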
Installation
Prerequisites
- Install uv with:
    curl -Ls https://astral.sh/uv/install.sh | sh
- Clone the repo and set up the environment (this will install the required dependencies):
    git clone https://github.com/Brucedh/aws-ireveal-mcp.git
    cd aws-ireveal-mcp
    uv venv
    source .venv/bin/activate
Configuration
Add the following configuration to your MCP client's settings file:
{
  "mcpServers": {
    "aws-ireveal": {
      "command": "uv",
      "args": [
        "--directory",
        "/path_to_your/aws-ireveal-mcp",
        "run",
        "server.py"
      ],
      "env": {
        "AWS_PROFILE": "<YOUR_PROFILE>"
      }
    }
  }
}